[luau] VIDEL Server Back Online

Warren Togami warren at togami.com
Fri Apr 5 03:43:08 PST 2002


My apologies if you are receiving this message more than once.  This is a
broadcast to all mailing lists on videl.ics.hawaii.edu (and a cautious test
to make sure our Mailman config is correct.)

Here's the entire story about what happened.  We were not hacked, and
contrary to what I posted earlier we weren't having hardware problems.

On Monday we were informed by CERT that our server was attacking
68.60.131.??? with "ROOTWAR.RPM rootkit".  Immediately we searched Google
and found nothing about that rootkit name.  A reverse lookup revealed that
the address was a Comcast cable modem user.  Our anonymous FTP logs showed
that exact IP address had downloaded Mandrake 8.2 ISOs using WSFTPLE
(Windows FTP client) a few hours before the "attack" occurred.  We found this
to be very suspicious, and after a thorough search of our server for over 2
days of downtime analysis we found no signs of a security compromise.  I've
since come to the conclusion that this is some dumb ass Windows user running
something like ZoneAlarm or BlackIce personal firewall, and the program
freaked out when the reverse callback connection of the active FTP protocol
was blocked by the stupid firewall.  He might have cried wolf to CERT, or
more likely it may have been an official looking forged warning from CERT
meant to scare us.

I didn't realize this until now, but the supposed CERT warning was sent to
us on April 1st...

Not wanting to take any risks, we went ahead and rebuilt the server anyway.
Thanks to donations of a 60GB, 120GB hard drive and controller from George
and Scott, it is now RAID 1 on the main system drives and another 120GB of
storage for the FTP mirror.  We also went ahead and used the "vserver"
security package, isolating each service into an isolated partition.  This
should result in much greater security and flexibility, because even if root
is cracked on an individual service there isn't much they can do to the
machine and other services.  You can read about the vserver project here
http://www.solucorp.qc.ca

I'm incredibly pissed that Ray and I wasted so much time in analysing and
rebuilding the server due to what was almost certainly a false alarm, but in
the end, I'm very happy that we learned about "vserver".  I can highly
recommend vserver for anyone that wants to increase their server security or
wants an interesting virtualization/partitioning project.

Anyway, the server is back up so the mailing lists, few web pages and FTP
downloads are back.  Mandrake is currently mirroring onto the server, and I
will try to grab Red Hat, Debian and a few BSD ISOs over the course of the
weekend.

Linux FTP Downloads
ftp://videl.ics.hawaii.edu
MonMotha's IPTables Firewall
http://monmotha.mplug.org
Videl Mailing List Subscriptions
http://videl.ics.hawaii.edu/mailman/listinfo

Warren Togami
warren at togami.com
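As an added example (not part of Warren's post or the videl server's own tooling), here is a Python triage helper for the check described above: it parses standard wu-ftpd/proftpd style xferlog lines (format assumed) and lists the transfers from a reported address in the hours before an abuse complaint, since a client-side personal firewall blocking the server's active-mode data connection produces exactly this kind of report. The log lines and IP addresses are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Standard xferlog layout (assumed): ctime-style timestamp, transfer seconds,
# remote host, bytes, path, type, special flag, direction, access mode,
# username (anonymous password), service, auth method, auth user id, status.
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<flag>\S) (?P<dir>[oid]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<svc>\S+) (?P<auth>\d) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)

# Constructed sample log; 192.0.2.10 / 198.51.100.7 are documentation addresses.
SAMPLE_XFERLOG = """\
Sun Mar 31 22:30:00 2002 900 192.0.2.10 412000 /pub/old.tar.gz b _ o a guest@example.com ftp 0 * c
Mon Apr  1 09:12:41 2002 1840 192.0.2.10 689340416 /pub/mandrake/cd1.iso b _ o a guest@example.com ftp 0 * c
Mon Apr  1 09:44:02 2002 1795 192.0.2.10 693911552 /pub/mandrake/cd2.iso b _ o a guest@example.com ftp 0 * c
Mon Apr  1 10:01:15 2002 3 198.51.100.7 2048 /pub/README a _ o a mozilla@ ftp 0 * c
"""

def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["when"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y")
        entries.append(d)
    return entries

def triage_abuse_report(xferlog_text, reported_ip, reported_at, window_hours=6):
    """Summarise what the reported address did in the hours before the complaint.
    reported_at is 'YYYY-MM-DD HH:MM:SS' in the log's local time.
    A run of completed downloads (dir 'o') shortly before the complaint is
    consistent with the client's firewall flagging our active-mode data
    connection (server port 20 -> client) rather than a real attack."""
    entries = parse_xferlog(xferlog_text)
    end = datetime.strptime(reported_at, "%Y-%m-%d %H:%M:%S")
    start = end - timedelta(hours=window_hours)
    hits = [e for e in entries if e["host"] == reported_ip and start <= e["when"] <= end]
    return {
        "reported_ip": reported_ip,
        "parsed": len(entries),
        "transfers_in_window": len(hits),
        "files": [e["path"] for e in hits],
        "all_completed_downloads": bool(hits) and all(e["dir"] == "o" and e["status"] == "c" for e in hits),
    }
```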
